Stitch is now HIPAA-compliant and here’s why that matters

Thanks to Philly’s documented strengths in the health IT sector, likely you’ve heard of HIPAA compliance.

The term stands for Health Insurance Portability and Accountability Act, a 1996 bill that, among other things, sets the guidelines for the safe-keeping of sensitive patient data. When said of a software platform, HIPAA compliance generally means the tool is able to protect patients’ information as it performs its main function.

Up until now, Center City–based Stitch had been unable to offer its customers what’s known as a business associate agreement (BAA), a guarantee that its platform was “up to code” with the set of regulations. After a two-month process, the company announced in a blog post Tuesday that it was all clear to offer its ETL (extract, transform and load) data platform to companies using sensitive data.

“We weren’t able to service customers whose data was covered under HIPAA,” said Stitch Chief Technology Officer Christopher Merrick. “We’ll now be able to sign those agreements for our customers and confirm that we comply with necessary regulations.”

(Quick catch-up on what Stitch actually does: The online tool lets developers extract, transform and load data from sources and into different targets.)

So what does HIPAA compliance actually mean? First up, it means all data that goes through Stitch’s system is now encrypted end-to-end regardless of where it is: in a hard drive, up in the cloud, etc.

Got PHI data but you just can't get it to your data warehouse? Hungry Hungry HIPAA your favorite party game? Are BAAs and sheep entirely unrelated concepts in your worldview? Great news – Stitch is now HIPAA compliant! https://t.co/05McUAmljd pic.twitter.com/e7Tb1OM3cC

— Stitch Data (@stitch_data) January 16, 2018

“We have to have really good chain of custody of the data,” Merrick said. “We can’t start using other services to process data without getting into a contractual agreement with them.”

Another piece of the puzzle involves having access audits in place: Any action performed on the data is recorded in a log. Per Merrick, an RJMetrics alum who transitioned to Stitch following the company’s acquisition/spinout combo move in August 2016, educating employees and creating documentation on security protocols were two big elements of the process.

“We decided to do this in response to demand,” said Merrick. “We were already knocking on the right doors and it was a hangup for some companies. We’re excited to be able to service those customers now.”

What does this mean for Stitch from here on out? Will it become a health IT-focused company? Not exactly: the privacy measures in place will apply to all users regardless of vertical, but it does open the door to more possible customers. Plus, Merrick explains, the healthcare sector might find value in Stitch’s service.

“In the universe of healthcare, data tends to be scattered and messy so that’s a situation we can help people solve,” Merrick said. “It will certainly expose us to new customers.”